Arby’s Breach Put Credit Union Cardholders at Risk
Another breach at a fast-food restaurant, this time at Atlanta-based restaurant chain Arby’s, once again puts credit union cardholders at risk, in an incident reminiscent of the Wendy’s hack in 2016.
According to cybersecurity expert Brian Krebs, sources at nearly a half-dozen banks and credit unions independently inquired about a data breach at Arby’s, which told KrebsOnSecurity it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.
Arby’s Restaurant Group, Inc. said the company first received notification in mid-January about a breach at some stores, but it did not reveal it publicly at the FBI’s request.
Reportedly, the initial clues about a possible breach came in a non-public alert from PSCU, which serves more than 800 credit unions, advising that PSCU received long lists of compromised card numbers from Visa and MasterCard involving more than 355,000 credit and debit cards issued by PSCU member financial institutions. The PSCU notice estimated the breach occurred between Oct. 25, 2016 and January 19, 2017.
“The situation surrounding the Arby’s data breach is fluid, and PSCU’s investigation is ongoing. We are continuing to monitor the situation on behalf of our member-owner credit unions in order to assess the impact on those credit unions that were affected, as well as to help mitigate fraud losses associated with the breach.” Jack Lynch, chief risk officer at PSCU, told CU Times.
“Arby’s Restaurant Group, Inc. was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity. Upon learning of the incident, ARG said it immediately notified law enforcement and took measures to contain this incident.
Arby’s said the breach-involved malware on payment systems inside Arby’s corporate stores, and did not touch all corporate store or any of Arby’s franchised locations. Arby’s has over 3,330 U.S. stores with about a third corporate-owned. “We have fully contained and eradicated the malware that was on our point-of-sale systems,” Christopher Fuller, Arby’s SVP of communications, said in statement.
NAFCU, which said it is the first financial trade organization to call for national data security standards for retailers, continues to push for legislative action on Capitol Hill.
“The continuing saga of retail data breaches have become a national nightmare. Cybercriminals are on a binge to capture American consumers’ valuable personal and financial data at every opportunity. The lack of a national standard of protection for merchants makes it easier for them,” NAFCU and CEO Dan Berger said in a statement. “Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015,” said Berger. “And there is no sign of the criminals letting up. This breach is another example of why Congress must act to implement national data security standards for retailers now.”
In May 2016, Wendy’s said it believed a hack compromised about 300 of its franchises. Then in June, the Dublin, Ohio-based, fast food chain confirmed the data breach of customer payment card data at 1,025 of its restaurants nationwide dating back to the fall 2015.
In June, the Michigan Credit Union League, its members, and CUNA advocated for stronger merchants and card network accountability after the breach forced several credit unions to cover associated costs. CUNA also announced it was also joining a data breach lawsuit against the restaurant chain.
Berger issued a statement at that time in light of Wendy’s breach: “Congress must act to implement national data security standards for retailers. Without these standards, essentially every time consumers use their credit or debit card they are gambling to see when their data will be breached, not if."
In October 2016, one financial institution, the $301-million Jackson, Mich.-based American 1 Credit Union revealed total losses to that date, due to the Wendy’s cyberattack, were equal to the losses taken with the 2014 Home Depot data breach and continued to grow. During the Home Depot cyberattacks, American 1 reissued over 4,200 cards and paid for 89% of member losses out of pocket.